[strongSwan] [Strongswan] Authentication based on X.509 using DN identification has failed and getting errors
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Thu Oct 4 11:21:22 CEST 2012
Hi,
I have tried to form a site-to-site tunnel using RSA authentication with DN
identification, but I am getting the error messages below. Please help me to
solve this problem.
rom 'LeftGty-sha1-2048_fqdn.crt'
Oct 1 14:34:53 localhost charon: 11[CFG] added configuration 'site-site'
Oct 1 14:42:24 localhost charon: 12[NET] received packet: from
35.0.0.1[500] to 35.0.0.2[500]
Oct 1 14:42:24 localhost charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 1 14:42:24 localhost charon: 12[IKE] 35.0.0.1 is initiating an IKE_SA
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CA,
ST=CA, L=CA, O=CA, OU=CA, CN=CA, E=CA at ca.com"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CH,
O=strongSwan, CN=strongSwan CA"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=IN,
ST=TN, L=CH, O=CAS, E=saravanan at strongswan.org"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=CH,
ST=CH, L=CH, O=strongswan, OU=strongswan, CN=strongswan, E=ca at strongswan.org
"
Oct 1 14:42:24 localhost charon: 12[IKE] sending cert request for "C=in,
ST=ar, L=ar, O=ar, OU=ar, CN=ar, E=ca at strongswan.org"
Oct 1 14:42:24 localhost charon: 12[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 1 14:42:24 localhost charon: 12[NET] sending packet: from
35.0.0.2[500] to 35.0.0.1[500]
Oct 1 14:42:26 localhost charon: 13[NET] received packet: from
35.0.0.1[500] to 35.0.0.2[500]
Oct 1 14:42:26 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi
CERT CERTREQ AUTH SA TSi TSr ]
Oct 1 14:42:26 localhost charon: 13[IKE] received cert request for "C=CH,
ST=CH, L=CH, O=strongswan, OU=strongswan, CN=strongswan, E=ca at strongswan.org
"
Oct 1 14:42:26 localhost charon: 13[IKE] received end entity cert "C=CH,
O=strongswan, OU=strongswan, CN=iss"
Oct 1 14:42:26 localhost charon: 13[CFG] looking for peer configs matching
35.0.0.2[%any]...35.0.0.1[]
Oct 1 14:42:26 localhost charon: 13[CFG] no matching peer config found
Oct 1 14:42:26 localhost charon: 13[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Oct 1 14:42:26 localhost charon: 13[NET] sending packet: from
35.0.0.2[500] to 35.0.0.1[500]
Please correct me if my configuration is not proper.
Configuration
_____________
ipsec.conf
___________
ca vpnca
        cacert=ikeca-sha1-2048-fqdn.crt
        auto=add
config setup
        plutostart=yes
        plutodebug=all
        charonstart=yes
        charondebug=all
        nat_traversal=yes
        crlcheckinterval=10m
        strictcrlpolicy=no
conn %default
        ikelifetime=8h
        lifetime = 8h
        rekeyfuzz = 100%
        keyingtries=1
conn site-site
        keyexchange=ikev2
        left=35.0.0.2
        leftcert=LeftGty-sha1-2048_fqdn.crt
        ike=aes256-sha1-sha256-modp1536!
        esp=aes256-sha1-sha256!
        leftid="C=CH, O=strongswan, CN=strongswan1"
        rightsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightid="C=CH, O=strongswan, CN=iss"
        auto=add
ipsec.secrets
++++++++++
: RSA LeftGty-sha1-2048_fqdn.key
I cannot suspect the certificates, because the same certificates are working
fine with FQDN identification.
I just changed the identification from FQDN to DN, as I configured the DN
parameters properly while generating the certificates.
Regards,
Saravanan N
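The "no matching peer config found" line in the log above is what charon reports when the identity a peer presents does not match any conn's rightid; with DN identities the comparison is RDN by RDN, so an RDN that exists in the certificate subject but not in the configured id (or the other way round) is enough to fail the lookup. The following script is an added example, not part of the post or of strongSwan: it parses the rightid from the ipsec.conf above and the end entity subject that the log shows the peer presenting, and reports which RDNs differ. The parsing and the "*" wildcard handling are a simplified model of strongSwan's identity matching, written here for illustration; the archive's rewriting of "@" as " at " in e-mail addresses is undone so E= RDNs round-trip. The same check applies to leftid against the subject of leftcert, whose DN is not shown in the post.

```python
"""Compare an ipsec.conf DN identity against the subject DN a peer presented.

Added example, not from the post or from strongSwan. It mirrors the by-hand
comparison a reader would do against the log and config in the post; the
wildcard rule (a configured value of '*' matches any value) is a simplified
model of strongSwan's matching, not its implementation.
"""
import re

# DN strings copied from the post: rightid= in ipsec.conf and the
# "received end entity cert" line in the charon log.
CONFIGURED_RIGHTID = "C=CH, O=strongswan, CN=iss"
PRESENTED_SUBJECT = "C=CH, O=strongswan, OU=strongswan, CN=iss"


def parse_dn(dn: str):
    """Split 'C=CH, O=x, CN=y' into an ordered list of (type, value) RDNs.

    A comma inside a value may be escaped as '\\,' (RFC 4514); the split
    regex leaves those alone. Attribute types are upper-cased; values are
    kept verbatim except that the mailing-list archive's ' at ' mangling of
    e-mail addresses is reversed (an assumption specific to this archive).
    """
    rdns = []
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        value = value.strip().replace(" at ", "@").replace("\\,", ",")
        rdns.append((attr.strip().upper(), value))
    return rdns


def dn_matches(configured: str, presented: str) -> bool:
    """True if the configured identity equals the presented subject DN.

    RDNs are compared in order, by type and value. A configured value of
    '*' matches any value of that RDN. An RDN present on one side only is a
    mismatch, so the RDN counts must be equal.
    """
    conf, pres = parse_dn(configured), parse_dn(presented)
    if len(conf) != len(pres):
        return False
    return all(
        ca == pa and (cv == "*" or cv == pv)
        for (ca, cv), (pa, pv) in zip(conf, pres)
    )


def dn_diff(configured: str, presented: str):
    """List the RDNs that appear on only one side, to read next to the log."""
    conf, pres = parse_dn(configured), parse_dn(presented)
    conf_set, pres_set = set(conf), set(pres)
    return {
        "only_in_config": [r for r in conf if r not in pres_set],
        "only_in_cert": [r for r in pres if r not in conf_set],
    }


if __name__ == "__main__":
    print("rightid matches presented subject:",
          dn_matches(CONFIGURED_RIGHTID, PRESENTED_SUBJECT))
    print("differing RDNs:", dn_diff(CONFIGURED_RIGHTID, PRESENTED_SUBJECT))
```

Run against the values from the post, dn_diff() reports the OU=strongswan RDN as present in the certificate subject but absent from rightid, and dn_matches() returns False; a rightid that carries the same RDNs as the certificate subject (or "*" for the RDN value that varies) returns True. The comparison is deliberately strict about RDN order and count, because an identity check that silently ignored extra RDNs would let a certificate with a different subject satisfy the peer config.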